News
Federal Data Breach Law Unlikely to Pass This Year, Say Analysts
By Colby Adams
printTwo measures passed by a Congressional committee this month that could change the way banks notify customers of data breaches are unlikely to become law this year, according to a Senate staffer. The Data Breach Notification Act (S.139), introduced by Sen. Dianne Feinstein (D-CA), would require financial institutions and other companies to notify U.S. residents of instances when their personally identifiable information has been breached or exposed. The Senate Judiciary Committee approved the bill on Nov. 5 by a 14-2 vote. The Personal Data Privacy and Security Act (S.1490), which also passed committee vote on Nov. 5, would extend the...
TO READ THE FULL STORY
Related News
The disclosure that U.S. officials have solicited and directly received data from foreign banks on transactions tied to Iran is spurring talks among European lawmakers, according to Alexander Alvaro, an EU Parliament supervisor.
Two agencies at the U.S. Treasury Department have done a poor job protecting sensitive Bank Secrecy Act information from hackers and potential data breaches, a government watchdog said Friday.
Congress is considering a request that would allow the Federal Trade Commission to levy fines against companies with poor controls over sensitive customer data, according to a report released Tuesday.
TJX Cos. agreed Thursday to make broad security improvements as part of a settlement with the Federal Trade Commission, one year after hackers stole the credit and debit card numbers of millions of customers in the largest known data breach for a U.S. retailer.
TJX will provide as much as $40.9 million in pretax funds to compensate U.S. Visa issuers for the cost of reporting the breach and replacing credit and debit cards exposed to hackers. Between 45.7 million and 100 million consumer records were exposed in the breach of TJX's computer systems.
A report issued by San Diego, Calif.-based ID Analytics, which makes ID theft software, looked at about a dozen data breaches involving Social Security numbers and other identifying information.
A security breach at retailer TJX Cos. last year cost banks that reissued payment cards as much as $83 million, according to estimates by credit card company Visa USA. Credit card company officials say the breach exposed about 100 million credit and debit card numbers.
The Bush administration suffered a setback Friday when a federal judge rejected its effort to block a civil lawsuit against an international banking consortium that provides the administration with data for terrorist investigations.
Financial institutions have been slow to adopt biometric technologies that identify people by physical characteristics, such as fingerprints, as part of their information security programs.
Banking employees can't always get standard photo IDs or signatures from clients, particularly if the person who wants to open an account or transact business is disabled or illiterate.
The request follows an April 23 government report on ID theft that recommended establishing national data protection standards for the private sector and reducing the use of Social Security numbers among government agencies.
Financial institutions, in attempting to minimize data breaches, often focus their budgets on systems meant to foil sophisticated hackers rather than guard against employee mistakes, such as losing a mobile device, and other vulnerabilities that cause most breaches.
In testimony before the House Financial Services Committee, online payment processors, data security professionals and other experts called for the licensing of Internet gambling businesses but could not agree on whether current technology can successfully verify the identities of online bettors.
As more financial institutions roll out mobile banking programs to extend their online services, they may be generating fresh opportunities for identity thieves, money launderers and financiers of terrorism, say privacy lawyers and data security consultants.
Seeking to combat identity theft, federal and state lawmakers have advanced a number of initiatives that would restrict how banks and other companies use Social Security numbers to identify consumers.
Plans for a national identification system that would require personal information to be stored in state-controlled databases will boost bank costs associated with large-scale data breaches, according to privacy consultants and information policy analysts.
Both measures would require retailers and other companies that handle customer data to follow the same breach notification rules that banks must follow.
The Senate Judiciary Committee is scheduled to vote Thursday on three bills that would establish rules for notifying consumers about identity theft, a spokesperson for Sen. Patrick Leahy said.
To contain the expansive costs of data breaches, some financial institutions are limiting their breach notifications, which can account for as much as a third of the total expense, according to an industry researcher.
Any federal data security legislation that reaches the congressional floor this year likely will require banks to notify customers of breaches only if there is a risk of theft, according to banking groups and consumer advocates.